Is Security Certification Worth it?

A host of computer security certifications exist, covering quite a range of topics. At some point in every security professional's career they look at certification and begin to weigh its value. I have given my own take on certification some thought and come up with the following recommendations based on my own experience.

Certification hinges on two things: the test and the certifying body. Certification, in the end, stands as independent verification that you passed a test. The test criteria and the reputation of the certifying body determine the value of that verification to others.

Personally, when I interview someone I don't give a second look at the certifications they have. I look for experience that proves the assertions the certifications make. Proving you can apply knowledge that a certification tests is much more difficult than just getting a certification.

I have to applaud the CEPT because it has an unstructured practical portion that forces you to apply your knowledge. If all certifications had this sort of component, fewer people would be certified, but certification would be worth a lot more.

That said, in the end I think demonstrable knowledge and skill are much more important than a certification, but then again I'm not working in a big-box corporation. In large organizations, the HR department will insist on some sort of rubber stamp it can use to weed out candidates. So if that sort of job is your goal, certifications are great.

Certifications are also good if you're freelance or doing consulting. Certifications stand in for references (which are probably better). Having lots of certifications will make your client feel more confident about you, and allows them to justify their investment in your services to their superiors. Like the saying goes, nobody ever got fired for choosing the Gartner pick.

Outside of consulting and big corporations though, in that other murky realm inhabited by your peers, a certification is worth about as much as the paper it's printed on. Other security professionals, especially those who are familiar with certifications, view them with quite a bit of skepticism. Proving to this audience that you know your stuff will require quite a bit more. In this arena I would say a published article is worth a lot more than a certification. Working on an open source project, producing white papers, publishing exploits and the like will go a lot farther to prove your credibility than producing a certification that shows you memorized the answers to a hundred multiple-choice questions.

Of course, going to a hiring officer at a large company and saying "I published the remote root compromise of servers running foobar 1.2" will probably just get you a blank look. On the flip side, if you do something like that, someone might just come looking for you with a job offer. I never heard of anyone trolling the CISSP registrations looking to hire their next rock star though...

Reg's are bull

I have come across many, many CISSPs who are basically clueless technically. Certs are mostly about your ability to take in large amounts of info and remember it for two weeks until the exam. I want a hands-on guy before a CISSP any time.

Read full-disclosure et al. and be amazed; the posts/questions/comments some of these über-certified guys ask are really depressing. I just met a guy (Technical Manager) for a security vuln scan company who didn't know what "robots.txt" was, and I blew his mind with Google hacking 101.

Certs aren't so bad

Hey Justin,

I agree certs on an individual basis don't get you the job, but they sure do get you interviews. Being familiar with the HR process, you learn (as you said) that HR HAS to weed out candidates. In my surveys of big business HR, having bona fide, recognizable certs, like the CISSP or SANS/GIAC, really puts you at the top of that paper pile. Most companies will stress every possible domain needed for their positions but rarely expect candidates to meet all of them. I believe that almost every person who has a CISSP/GIAC cert has at least the minimum knowledge for an entry-level infosec job. There are always exceptions to the rule, but Adam Savage (of Mythbusters fame) finished a famous quote this year at HOPE that I feel applies to these certs:

"Jack of all trades, master of none, though often better than a master of one"

Anyways, just my 2c.

I'll keep reading if you keep blogging!

-Jason
